Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cookieless Web Tracking Using HTTP's ETag

Posted by timothy on from the ah-there-you-are-again dept.

An anonymous reader writes "There is a growing interest in who tracks us, and many folks are restricting the use of web cookies and Flash to cut down how advertisers (and others) can track them. Those things are fine as far as they go, but some sites are using the ETag header as an identifier: Attentive readers might have noticed already how you can use this to track people: the browser sends the information back to the server that it previously received (the ETag). That sounds an awful lot like cookies, doesn't it? The server can simply give each browser an unique ETag, and when they connect again it can look it up in its database. Neither JavaScript, nor any other plugin, has to be enabled for this to work either, and changing your IP is useless as well. The only usable workaround seems to be clearing one's cache, or using private browsing with HTTPS on sites where you don't want to be tracked. The Firefox add-on SecretAgent also does ETag overwriting."

34 of 212 comments (clear)

  1. Secret Agent by Jeremiah+Cornelius · · Score: 5, Interesting

    Here we come. :-)

    Add this feature to a chaff-creating plugin, to crapflood servers with fake tags.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Secret Agent by kasperd · · Score: 3, Interesting

      Can SecretAgent detect tracking through ETags? Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

      The way I'd detect it would be with some extra background probes after a page has been loaded. The background probes start once the browser has finished loading and has become idle. Then the browser could open another connection and request the same resources again without sending any information, that could be tracked. If it receives a different ETag or different content this time around, it empties the cache for that domain and disables caching for that domain for a few hours.

      --

      Do you care about the security of your wireless mouse?
    2. Re:Secret Agent by KiloByte · · Score: 5, Informative

      Or will it disable ETags across all sites and thus slow down browsing by effectively turning caching off?

      ETags are only one of many methods to achieve caching. Getting rid of them shouldn't have a big effect on caching.

      Other methods typically have privacy holes as well, but it's easier to deal with them, for example by rounding timestamps down to the last midnight. ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Secret Agent by Wrath0fb0b · · Score: 2

      ETags on the other hand store an arbitrary attacker-provided string, which is an outright security vulnerability.

      I hate to break it to you, but the entire browser is nothing but a device for storing (and then parsing!) arbitrary attacker-provided strings. It's even got a perverse sort of link-chaining mechanism where, after receiving one such string, it will go out and fetch (and parse!) another one at the attacker's choice of address.

      This is not a security vulnerability, it's the design of the system in which there was never a requirement to ensure that a client could visit a server multiple times without the server knowing (or inferring) that it was the same client. It's meaningless to say that a protocol is vulnerable because it doesn't meet a property that it was never designed for (any more than RSA is broken because it doesn't offer repudiation).

      Now a client can always elect to send random e-tags, slowing himself down (most dynamic content is not time-cached) and adding to the bandwidth load on the server. I'm sure someone will cook up an extension that does this, and we'll be back to where we were before this non-story.

  2. Nothing new by deanrock0 · · Score: 5, Informative

    Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

    1. Re:Nothing new by Anonymous Coward · · Score: 3, Informative

      Did they just invent ETag or what? This "feature" is known for a few years and there are existing implementation, including this one: http://samy.pl/evercookie/ from 2010.

      The wikipedia article on ETag links to a page from 2003 discussing ETag's usability for tracking.

  3. Tracking $$$$ by Ed+The+Meek · · Score: 3, Informative

    Tracking information is worth billions of dollars. With that much money on the line - we'll be tracked like escaped inmates - one way or another.

    1. Re: Tracking $$$$ by Ed+The+Meek · · Score: 2

      Well, that sounds good in theory, but I doubt that any laws would be written in such a way as to actually cure the problem. Usually too many loopholes in the laws. Like the "established business relationship" in telemarketing laws. Oh, and there's always the NSA....

    2. Re:Tracking $$$$ by Concerned+Onlooker · · Score: 2

      I guess the corollary is that todays USA "conservative" is not that far away from Franco or Mussolini. (By the way, Hitler was not a leftist).

      Ease up on the hyperbole, eh?

      --
      http://www.rootstrikers.org/
    3. Re: Tracking $$$$ by grantspassalan · · Score: 2

      Is there a law that states that browser makers, such as Microsoft, Apple and others MUST include all that extraneous information that their browsers send to Web servers without the user's permission? Why must there be *any* information sent to a Web server other than the actual request for data? Why must a Web server know any information at all about what kind of an OS, sites last visited or whether or not a user has visited a site before? If these companies that make browsers really cared about privacy, they would enable their users to select which, if any, of this data to send out on the Internet. Perhaps somebody might get rich making a browser that allows users to return off the sending of all that extra information.

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    4. Re:Tracking $$$$ by Ixokai · · Score: 4, Insightful

      The thing is, you're wrong.

      Very, very little of what Obama wants or has done is even close to what the progressives of the left actually want. Health care reform? He enacted the model proposed by the Republicans and devised by a right wing think-tank to create a market-based approach to near-universal healthcare: if you think the left is happy with Obamacare, you're not paying attention.

      Its simply *better*, and so we will stick with it. What the left wanted was a single-payer really universal healthcare, but we compromised and were willing to go along with the ACA as long as we'd get a single-payer *option*. Then that got dropped, but most of the left decided to support the ACA anyways because really, it was better then what we have now.

      Obama is a centrist; center-right in most issues, occasionally center-left. There is nothing even remotely radical about anything he's done, there's been no great pull to the left. The left has gone a bit farther left then we were a decade or so ago, but that's been in response to the monumental shift the right has gone.

      There's a wholesale assault on reproductive and fundamental voting rights going on from the right these days, which is just stunning in that these are things that *only* the most extreme of the right's base want.

      On civil rights, surveillance, foreign policy, environment, business regulation, ... and on and on, Obama is not at all in line with what the left wants. He's just not as bad as what the crazy people on the far right want.

      Yes, there are some narrow places where the far left and the libertarian wing of the far right actually agree, and its weird when it happens: but those are on very specific and very narrow issues. The problem with that libertarian wing is then they fall flat on their face in when the social conservative bloc of the far right has to be dealt with in primaries, and suddenly small government meets bedroom and private health, and oops.

  4. Secret Agent addon by Anonymous Coward · · Score: 2, Informative

    The addon's homepage appears to be this:
    https://www.dephormation.org.uk/?page=81

  5. Re:Firefox makes cache clearing difficult by Ambiguous+Puzuma · · Score: 5, Informative

    Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

  6. Just clear the cache... by AliasMarlowe · · Score: 3, Interesting

    On all of our PCs, Opera and Firefox are set to clear their caches and delete all cookies etc. every time they exit.
    Also, I occasionally clear all private data while browsing in Opera, including the cache, cookies, history, and so forth (passwords are never saved by the browser). Obviously, I have to log in again the next time I visit slashdot.

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    1. Re:Just clear the cache... by aliquis · · Score: 3, Interesting

      delete all cookies etc. every time they exit.

      I have to log in again the next time I visit slashdot.

      Too much work. Well, except if I'd never quit the browser but then it wouldn't make any difference.

    2. Re:Just clear the cache... by SGT+CAPSLOCK · · Score: 2

      Security is a trade-off. It's always going to take more work to set up and maintain security for yourself than it would to, say, remain traceable and insecure.

      If you're lazy, then you're certainly the best kind of target.

  7. Another Job for RequestPolicy by Jah-Wren+Ryel · · Score: 2

    The RequestPolicy add-on should handle this too. RequestPolicy blocks cross-site references by default and lets you whitelist individual cases. If you don't even talk to the tracker websites then they can't track you.

    If the main website you access tracks you via etags the risk is limited to tracking your actions on that website which you'd have problems avoiding anyway since they can track you via ip address or if you have an account on that website.

    --
    When information is power, privacy is freedom.
    1. Re:Another Job for RequestPolicy by Anonymous Coward · · Score: 4, Informative

      I use RequestPolicy, and it definitely isn't for most people. It increases the amount of effort needed to browse the web by a factor of ten.

      Every other site I go to is actually served from about two dozen separate locations. CSS comes from one domain, images come from as many as 6 domains, javascript comes from as many as 3 domains, and it isn't unheard of to see twenty different sets of trackers and widgets getting bolted on, not including the addidional baggage that they bring.

      It's fucking ridiculous.

      Oddly enough, sites hosting their own tracking will make RequestPolicy fail miserably, since it only deals with cross site refs. Such sites are the exception, though.

    2. Re:Another Job for RequestPolicy by Jah-Wren+Ryel · · Score: 2

      I find that about half the sites I go to don't require any whitelisting at all, another ~30% are good enough with white-listing only a couple of other sites (usually CDNs). But it does take a while to get the hang of guessing which are the required sites and which are just fluff and/or trackers.

      --
      When information is power, privacy is freedom.
  8. They just don't seem to get the message by Somebody+Is+Using+My · · Score: 4, Interesting

    I always imagine the webserver as having an internal conversation that goes sort of like this...

    Hey, a new visitor to the website? I wonder who he is?
    Well, I'll just drop a cookie on there to keep track of him... and, hmm, it seems he's blocking cookies.
    Oh well, let me just insert this bit of Javascript; that'll work just as well.
    Dear oh dear, it seems Javascript isn't working.
    No worries, I'll just insert a little 0-byte web-bug graphic and... wait? That's prevented as well?
    Damn it, Flash-cookie! That'll get him! WHAT?!?!? Disabled as well?
    E-Tag! That has to work, right?
    ARGH!!!!!

    Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

    Nah, who doesn't like being pushed, filed, stamped, indexed, briefed, debriefed, or numbered? I wonder if there's some other way I can use...

    You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere. It just further antagonizes the very people they are trying to connect with. And then they wonder why they lose the respect and trust of their customers, resulting in an ever-more aggressive relationship between the two.

    Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising. What repercussions might that have had on the world as a whole?

    1. Re:They just don't seem to get the message by CRCulver · · Score: 2

      Some days I dream about what the Internet might have been like had Canter and Siegel been definitively smacked down back in '94, setting an inviolable precedent that the 'Net was not a platform welcoming /any/ advertising.

      The global economy would be smaller and internet access would be less available worldwide. Once the model of advertising-supported services arose, people in the third world could have nice things like e-mail and entertainment in spite of their countries' lack of means or an infrastructure where individuals could pay for whatever they used themselves.

      It's easy for someone in the West to say, "They should just bill you $20 a month for your usage of service x, and get rid of advertising", but try to be considerate of the rest of the world.

    2. Re:They just don't seem to get the message by bbn · · Score: 4, Funny

      E-Tag! That has to work, right?
      ARGH!!!!!

      Gee... I wonder if he's trying to tell me something like, oh I don't know, "I don't like being tracked".

      By this point you are being tracked as the guy that blocked everything else. There is only going to be one of you.

    3. Re:They just don't seem to get the message by mcgrew · · Score: 2

      Some of us don't like being stalked by the government or the corporations that own it.

      --
      Free Martian Whores!
    4. Re:They just don't seem to get the message by mopower70 · · Score: 3, Interesting

      You might think at this point that companies and advertisers start getting the message. Instead, they just keep finding more and sleazier ways. All these technologies have valid uses but have been so abused by corporations and marketing that people increasingly don't trust it anywhere.

      I'm honestly curious here. Advertising isn't going away. It's what keeps the Internet "free". So you're saying you'd rather have completely irrelevant advertising than stuff you may actually be interested in? When I'm in the market for any kind of product, I actively seek out sources of advertising to survey what's available. Being flooded with irrelevant information and advertisements (like happens on the radio and television) is personally unnecessary but financially necessary noise to provide the content I want. I'll take trackers any day over having to pay for every single site I visit.

    5. Re:They just don't seem to get the message by maxwell+demon · · Score: 2

      What do you suppose the intended consequences were, then?

      Less network traffic.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    6. Re:They just don't seem to get the message by Anonymous Coward · · Score: 3, Interesting

      Yes, that's what I'm saying. I don't want these people to know what I want. They have proven that they will take advantage of that, and try to make me impulse-buy things when I'm at my most vulnerable to targeted ads.

      Ads are not a good way to form a worthwhile opinion on what product is the best for you, the consumer. They're designed to drown out the competition and are practically worthless for making a judgement call, unless you happen to notice it's something you already wanted that has a special-offer.

      Without competition, ads are no more relevant than they were without being targeted. I've seen no evidence of more competition with more targeted ads. I just get the same products over and over, from whomever can afford the most ads. It's not a healthy situation for commerce.

      Plus, if it's something I'm going to buy, I'll buy it. I don't need an ad asking me to click on it while I'm doing other things. I'd rather the business model was revamped than the customer's privacy model.

      If ads can sustain the web as-is, then I don't see a need to "upgrade" them. And if they can't, then it's just another reason to revamp the business model instead of desperately clinging to it.

    7. Re:They just don't seem to get the message by Arrogant-Bastard · · Score: 2

      You know, we had a "free" Internet long before the advertising filth showed up and began polluting it. They are expendable, although they would certainly like you to believe that they're not. "Oh noooes the free sites could go away with advertising!!"

      Yes, they could. So what?

      Newcomers (anyone who didn't have an address ending in .ARPA is new) are directed to study the history of the 'net. Those of adequate perception will quickly realize that it was flourishing WITHOUT the hordes of imbeciles, WITHOUT the masses of illiterates, WITHOUT the tracking and ads and spam. Our mistake was not crushing these out of existence with ruthless ferocity as soon as they appeared: every ignorant newbie should have been flamed to oblivion, every spammer's business destroyed. We were far too nice and far too tolerant, and thus...look at what we have now. But it didn't have to turn out that way. And it still doesn't. The situation is fixable.

      Ads don't reach because I have those sites firewalled or null-routed. I don't care to look at them or have my extremely valuable time and resources wasted by them. Nor do I wish to be exposed to the malware and other attacks carried by an increasing number of them. I recommend this same approach to others: block them at your network perimeter: ALL of them. Yes, this will have consequences -- good consequences. It passes the "what if everyone did it? test because if that happened it would starve the ad networks of revenue and deprive of the resources they require to engage in ever-more-intrusive tracking and data collection on Internet users. Everyone won't do that, of course: but those who do will reap at least some of the benefits. Perhaps that will be enough. I certainly hope so.

  9. Panopticlick is another method by danceswithtrees · · Score: 5, Interesting

    The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

    https://panopticlick.eff.org/

    1. Re:Panopticlick is another method by nmb3000 · · Score: 2

      The ETag method is a clever solution to cookieless tracking. I find this method I stumbled upon a couple of weeks ago a bit startling. I had no idea the amount of information routinely sent from my browser/computer to web servers-- information about plug-ins, time zone, screen resolution, accepted headers, etc WITHOUT letting me know. It is enough to give more than 21 bits of identifying information and uniquely identifies me among the 3M visits.

      https://panopticlick.eff.org/

      Yep. It's absurd, and unfortunately many "privacy-enhancing" tools (for example, anything that alters the user agent) can actually make a browser more unique rather than less-so.

      NoScript is an exception, and one that works very well. I know it's parroted on Slashdot a lot, but if you care about privacy and security on the web there isn't a single better option. Using Panopticlick on my browser as an example:

      Without NoScript: Your browser fingerprint appears to be unique among the 3,316,576 tested so far. Currently, we estimate that your browser has a fingerprint that conveys at least 21.66 bits of identifying information.

      With NoScript: Within our dataset of several million visitors, only one in 2,433 browsers have the same fingerprint as yours. Currently, we estimate that your browser has a fingerprint that conveys 11.25 bits of identifying information.

      Still not great, but a lot better than unique. It's quite unfortunate that the web evolved with the assumption that arbitrary code may be executed in the browser. If we had started out instead with an opt-in approach to Javascript, I think things would be quite a bit better now in terms of privacy and security than they currently are.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
  10. Re:Firefox makes cache clearing difficult by seyyah · · Score: 5, Funny

    Or you can press Ctrl+Shift+Del. One of the options (which should already be checked if you used it last time) is to clear the cache. A three-key combination and a button click and you're done, with no plugins needed.

    I also like the Ctrl+Alt+Del option. I've yet to see a website that can track me after that.

  11. Re:Firefox makes cache clearing difficult by Mike+Frett · · Score: 2

    Edit>Preferences>Privacy Tab> Check 'Clear History When Firefox Closes' and click Settings to select what to clear on Exit. How is that difficult? Note: This is for the Linux version, I dunno about Mac/Win.

  12. ETag leaks between Incognito mode and regular mode by ThatsMyNick · · Score: 4, Informative

    It also seems to leak info between regular windows and incognito mode in chromium. I assume the cache is shared between the modes, and they need separate caches.

  13. Re:Can't talk to trackers? by nmb3000 · · Score: 2

    I know, replying to APK about magical hosts files is pointless, but here we go anyway:

    Can you answer these two questions:

    How many domains and subdomains does Facebook operate?
    Please make sure to include those added in the last 4 hours!

    Can you enumerate every domain used to host advertising and/or malware on the planet?
    Please make sure to account for dynamically changing and the infinite number of wildcard domains!

    If you cannot give me exact answers, then your hosts file method is useless and obsolete. Please wake up and stop peddling your crap here.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  14. Re:Firefox makes cache clearing difficult by zippthorne · · Score: 2

    If you're messing with fstab, why not just mount it to its own tmpfs?

    --
    Can you be Even More Awesome?!